Analysis
-
max time kernel
37s -
max time network
39s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system -
submitted
03-06-2023 11:19
Behavioral task
behavioral1
Sample
56436.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
56436.exe
Resource
win10v2004-20230220-en
General
-
Target
56436.exe
-
Size
17KB
-
MD5
c809335d893e45403a4b3a2f057912d4
-
SHA1
e98ccab279d633a8ab0e66ad7812fb4d5a656dba
-
SHA256
fff181b9a2ba6244e9509682573d004071f06825637a0c46bf50f3dad73b1fa4
-
SHA512
5f67a1088350510ba24a2688a6d486d7a61e983dc84475918e54da08ecd1cc7eddbccd6b51bc94593d756703e3e8b1edbcefe1312a2bc06416502a0fed657d14
-
SSDEEP
384:9GDRfRdKatRiWfu+/oEIPJvnbisVKi6yrLu2s2:9GF5dKat32+IRmua2
Malware Config
Extracted
revengerat
Guest
structure-processor.at.ply.gg:45659
RV_MUTEX
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1500-54-0x0000000000080000-0x0000000000088000-memory.dmp | revengerat
C:\Users\Admin\AppData\Roaming\Client.exe | revengerat
C:\Users\Admin\AppData\Roaming\Client.exe | revengerat
C:\Users\Admin\AppData\Roaming\Client.exe | revengerat
behavioral1/memory/1368-64-0x0000000000320000-0x0000000000328000-memory.dmp | revengerat -
Executes dropped EXE 1 IoCs
Processes:
Client.exe
pid | process
1368 | Client.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
56436.exe, Client.exe
description | pid | process
Token: SeDebugPrivilege | 1500 | 56436.exe
Token: SeDebugPrivilege | 1368 | Client.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
56436.exe
description | pid | process | target process
PID 1500 wrote to memory of 1368 | 1500 | 56436.exe | Client.exe
PID 1500 wrote to memory of 1368 | 1500 | 56436.exe | Client.exe
PID 1500 wrote to memory of 1368 | 1500 | 56436.exe | Client.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\56436.exe (process tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\56436.exe"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Client.exe (process tree level 2, child of 56436.exe)
Command line: "C:\Users\Admin\AppData\Roaming\Client.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Client.exe
Filesize 17KB
MD5 c809335d893e45403a4b3a2f057912d4
SHA1 e98ccab279d633a8ab0e66ad7812fb4d5a656dba
SHA256 fff181b9a2ba6244e9509682573d004071f06825637a0c46bf50f3dad73b1fa4
SHA512 5f67a1088350510ba24a2688a6d486d7a61e983dc84475918e54da08ecd1cc7eddbccd6b51bc94593d756703e3e8b1edbcefe1312a2bc06416502a0fed657d14
-
memory/1368-64-0x0000000000320000-0x0000000000328000-memory.dmp
Filesize 32KB
-
memory/1500-54-0x0000000000080000-0x0000000000088000-memory.dmp
Filesize 32KB
-
memory/1500-55-0x0000000001EA0000-0x0000000001F20000-memory.dmp
Filesize 512KB
-
memory/1500-56-0x0000000001EA0000-0x0000000001F20000-memory.dmp
Filesize 512KB